core: Add optional unix socket file permissions #4741
Conversation
|
|
8284a18 to
db1cdc4
Compare
|
Forgive me if I'm forgetting something, but is there a reason to expose the full array of access modes? From what I gather by reading I tested this locally as well, by using netcat to listen on a Unix socket and trying to connect to it with another netcat from a different terminal window. I tested the modes |
|
I am genuinely confused about that. Literally every single socket implementation and mentioning of them I've seen so far uses So I did some more research, I noticed some hosted versions of the unix(7) man page stated12
As it turns out, quite a few host outdated man pages. mkerrisk/man-pages@b1ef409 (year 2016)
and a follow-up commit the same day mkerrisk/man-pages@7578ea2
My whole life has been a lie /s I guess we should lower the permissions down to Thanks @sybereal! Footnotes |
|
@IndeedNotJames Did we want to try to merge this for 2.6 or wait? I can't recall if you wanted to do more with this, or just merge it for now and iterate on it later? |
|
I did resolve the merge conflict locally and started working on #4869, just before I went on vacation (back now). Originally, I wanted to defer any additional features and just have it merged. I should be able to have it review-ready (again) by the day after tomorrow with group names as requested in #4869 :) |
|
@IndeedNotJames Cool. Now that you say that, and if we're going to just do one PR, maybe it would be better to put this in after 2.6 since I don't want to break anything more than I already have 😶 haha. 👍 Thank you for working on this! |
|
@IndeedNotJames I think we can probably merge this soon, could you fix the conflicts? |
|
I originally stopped working on it again after @mholt's comment suggesting postponing it until after But I also get that this is, as of now, the oldest open PR in this repo. Will prefix the PR with WIP for now. |
|
Just as a note to myself: |
|
Ah yeah 😕 Sorry about that... thanks, Windows. |
This is not the first time someone has said that, and it will not be the last. |
|
@IndeedNotJames any time to wrap this up in the coming months? Anything I can help with? Is the Windows parsing the last outstanding issue? |
|
@jameshartig I'd love to hear about your use-case :) I've eventually felt like this feature is incredibly niche and essentially no one wants it. I will pick this PR back up if this isn't the case. Just out of interest: Do you just need |
|
@IndeedNotJames Our use-case is that we want to set the perms for the admin unix socket to |
|
@IndeedNotJames Our use-case for this is that we have a master caddy that serves each user's website by reverse-proxying the unix-socket of the user's local caddy instance. |
|
For those who replied above with use cases: does every Unix socket need its own, separate permissions? Or can they all have the same permission bits? |
|
@gi-yt FYI a better workaround (for now) would be to modify the systemd service's |
|
We talked on slack about using |
@mholt see my earlier reply:
|
|
Oops, yeah... I'm going blind. Thanks for highlighting that. |
This commit also changes the default unix socket file permissions to `u=w,g=,o=` (octal: `0200`). It used to default to the shell's umask (usually `u=rwx,g=rx,o=rx`, octal: `0755`). `/run/caddy.sock` -> `/run/caddy.sock` with `0200` default perms `/run/caddy.sock|0222` -> `/run/caddy.sock` with `0222` perms `|` instead of `:` is used as a separator, to account for the `:` in Windows drive letters (e.g. `C:\absolute\path.sock`) Fun fact: The old unix(7) man page (pre Jun 2016) stated a socket needs both read and write perms. Turns out, only write perms are needed. Corrected in mkerrisk/man-pages@7578ea2 Despite this, most implementations still default to read+write to this date.
d5c2bb1 to
7ef6206
Compare
|
Cool!! I will review this soon! Dare we try to put this in 2.7? |
|
It seems to work fine on windows with relative and absolute paths. So the sockets do not work without write permission and they can also not be deleted by caddy when exiting if there is no write permission (obviously). Question is, if we want to protect against that. Meaning require at least write permissions on one of the permission bits or always on the owner bit? Just some food for thought. Also I would like some test cases with windows paths. Meaning with backslashes and with an absolute path. Just to be safe. |
|
No objections from me :^) |
Yay! This is currently a blocker for us rolling out Caddy more broadly internally so I would love for it to be in 2.7 😉 |
|
You got it. Thanks @emilylange for the great enhancement. |
Closes #4675
Allows one to specify the wanted socket permissions like so:
unix//path/to/unix.sock|0666(unix socket at/path/to/unix.sockwith0666(ugw=rw)The leading
0is optional.unix//path/to/unix.sock|666would yield the same permissions.Using
:u=rw,r=rw,=o=rwwill not work. This could, however, be added fairly easily later.This commit also changes the default unix socket file permissions to
u=rw,g=rw,o=(0660).It used to default to the shell's umask.
However, the fact that caddy used to default to the umask hasn't been documented anywhere as far as I am aware.
The only mentions I know of are my two comments in https://caddy.community/t/new-user-cant-get-darkweb-site-host-working/15491/12 and #4675.
So I would argue this isn't strictly a deprecation 🤔
Though changing the default to
0600might be more on par with the umask:Excerpt taken from the linked issue:
I've also added a unit test for the new function
splitUnixSocketPermissionsBits().I am not too happy with its name, but I think it gets the point across anyway 🤷♀️
An addition integration test might make sense, since the actual
os.Chmod()only happens at runtime.